[PATCH 06/10] parser: Use full regexps for delegation rules paths

Laurent Pinchart laurent.pinchart at ideasonboard.com
Sat Dec 26 22:05:55 AEDT 2015


Hi Johannes,

On Friday 25 December 2015 16:59:50 Johannes Berg wrote:
> On Thu, 2015-12-24 at 14:06 +0000, Finucane, Stephen wrote:
> >
> > > Paths are validated by trying to compile it as a regexp using a
> > > custom validator.
> > > 
> > > Signed-off-by: Laurent Pinchart <laurent.pinchart at ideasonboard.com>
> > > Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
> > 
> > Some small nits that I can fix myself. Other than that,
> 
> A small comment that may or may not be relevant - but there's a bunch
> of things one can do with regexes, from taking a lot of CPU to taking a
> lot of memory.
> 
> What's the trust model for running regexes? I haven't found it in the
> patches easily right now. If it's configured only in the config file it
> should be OK, but if any kind of remote user can configure it then it
> may need safeguards of some kind?
> 
> I'm just thinking of a use case like kernel.org where you don't really
> even trust the people who are the typical delegates/admins in patchwork
> for a given project, since they are pretty much just random people the
> admin doesn't necessarily trust much.
> 
> (Or put another way - I'd hate for them to patch out/disable this
> feature because of security concerns, since I'd want to use it on
> kernel.org, but I'm not sure the admins would want me configuring
> arbitrary regexes there)

I agree with your concerns but haven't given them a thought to be honest. 
Right now only patchwork admins can changes the rules, but as you mention we 
might not trust them.

I've used regexps for convenience, we could possibly replace them with a less 
dangerous type of pattern. One option I was toying with was to create rules 
automatically from MAINTAINERS, but I don't think that would be flexible 
enough.

-- 
Regards,

Laurent Pinchart



More information about the Patchwork mailing list